Step 3: URL Authorization

The credential is used for all later determinations of whether the user
is authorized to access the restricted resources that the user requests. The web server
consults the security policy (derived from the deployment descriptor) associated
with the requested web resource to determine the security roles that are permitted access
to the resource. The web container then tests the user’s credential
against each permitted role to determine whether it can map the user to that role. Figure 28–3 shows this process.

Figure 28–3 URL Authorization

The web server’s evaluation stops with an “is authorized”
outcome when the web server is able to map the user to a role. A “not
authorized” outcome is reached if the web server is unable to map the
user to any of the permitted roles.
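The role test described above, as an added simulation that is not part of the tutorial or of any container's code: it reads a constructed web.xml fragment, finds the security constraints whose url-pattern covers the requested path, and maps the user's roles against the permitted role-names. It combines every matching constraint (empty auth-constraint denies all, a missing auth-constraint leaves the resource open, otherwise the union of role-names applies) and, as a simplification, skips the servlet specification's best-match pattern selection and the special "*" role-name.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for this example, not a real application's descriptor.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>*.report</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/internal/*</url-pattern></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    if pattern.endswith("/*"):                  # path-prefix pattern, e.g. /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                # extension pattern, e.g. *.report
        return path.endswith(pattern[1:])
    return path == pattern                      # exact pattern

def load_policy(xml_text):
    """One (url-patterns, permitted-roles) pair per <security-constraint>.
    roles is None when the constraint has no <auth-constraint> element at all."""
    policy = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        patterns = [p.text for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        roles = None if auth is None else {r.text for r in auth.iter("role-name")}
        policy.append((patterns, roles))
    return policy

def is_authorized(policy, path, user_roles):
    """Mimic the container's role test: True = "is authorized", False = "not authorized"."""
    matching = [roles for patterns, roles in policy
                if any(pattern_matches(p, path) for p in patterns)]
    if not matching:
        return True                     # no constraint covers the URL: unrestricted
    if any(roles is not None and not roles for roles in matching):
        return False                    # empty <auth-constraint/> precludes everyone
    if any(roles is None for roles in matching):
        return True                     # a constraint with no auth-constraint opens it
    permitted = set().union(*matching)  # union of role-names across constraints
    return bool(permitted & set(user_roles))
```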